Intercept Flows and checking raw LDAP attributes
cantor.2 at osu.edu
Mon Aug 3 19:27:37 EDT 2015
On 8/3/15, 7:20 PM, "users on behalf of Jeffrey Crawford" <users-bounces at shibboleth.net on behalf of jeffreyc at ucsc.edu> wrote:
>I feel like I'm missing something simple here, I have an interrupt flow that will work based off of the context-check example, however if the SAML attribute eduPersonAffiliation is not released to the SP in question and I'm trying to check against it, I get the following in the logs.
That's just how it was implemented. The next version includes a separately tracked collection of the unfiltered attributes and most of the internal components will then operate on the unfiltered set.
>It only works if the attribute-filter has eduPersonAffiliation released to the SP, but I want to check that attribute even if it's not released, Can I check against the raw LDAP attribute
> as opposed to the attributes in the SAML profile?
There is no way it will ever operate on raw LDAP attributes. The IdP operates solely on IdPAttributes produced by the resolver and that won't ever change.
More information about the users